Part 3: The Delicate Relationship between IT and OT
Welcome back to our blog series on cyber risk highlights in critical infrastructure. In part 1, we set the stage for the current cyber risk climate in the critical infrastructure sector. In part 2, we explained how control systems have become easy targets for cybercriminals in 2022. Threat actors no longer need expertise in the subject matter to disrupt and destroy equipment.
In this post, we continue our discussion on the increased capabilities of cyber criminals and explain how creating physical disruption through cyber means is possible even without using software frameworks targeting OT systems. Cyber-attacks that target the IT side of the business can easily have physical consequences through a domino effect of interdependencies.
IT as the Low Hanging Fruit
Even though adversaries aim to disrupt and destroy equipment by targeting OT systems, it’s important to emphasize that most critical infrastructure attacks begin with compromising IT systems. The ICS threat progression has multiple stages that can be roughly mapped to the cyber kill chain. Because understanding engineering and operations is an intensive endeavor, hackers will usually begin by gaining access to the IT network. As they explore and familiarize themselves with the IT network, they may target employees responsible for OT, stealing intellectual property and engineering drawings before attempting to compromise control systems directly. Finally, once they have gained enough knowledge, they take down control systems.
Often, it is not necessary to directly access control systems. As seen in recent cyber-attacks, hackers have realized control systems can easily be disrupted by leveraging dependencies in the IT environment.
Making Physical Impact by Leveraging Interdependencies
Organizations are not always mindful of the interdependencies between IT and OT. There’s quite a bit of documented collateral damage from IT attacks that have led to physical consequences. In the Colonial Pipeline attack, for instance, hackers realized that shutting down metering systems with ransomware rendered the operational technology useless. Colonial didn’t know how much gas was being delivered and could not bill customers.
It is important to remember that pipeline security events are not new, and past events are often strong predictors of future risks. In 2018, a supply chain attack disrupted a customer transaction service for a network of U.S. natural gas companies—Texas-based Energy Transfer Partners, LP. The entire pipeline was shut down due to this IT-based, third-party event.
In our interconnected cloud-first world, operational dependencies between IT and OT systems can quickly lead to operational impacts if not identified and planned for in advance. Examples of IT dependencies for OT operations include:
- The inability to process customer orders.
- The inability to generate customer bills.
- The inability to view and manage projects/customer workstreams.
Cybercriminals leveraged IT and OT interdependencies in the JBS cyber-attack as well. JBS, too, suffered a ransomware attack on its IT network and could not print labels for meat packages. As soon as your IT systems can’t print labels, you can’t sell the product. It’s a surprisingly common manufacturing scenario that can happen when IT systems are compromised. In this case, 20% of the world’s meat supply was held hostage.
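The "identify and plan for in advance" step above amounts to mapping which business and OT functions sit downstream of each IT service. The following is an added example (not code from this post or from Axio) that models such dependencies as a small graph, constructed from the pipeline metering/billing and label-printing cases discussed here, and computes the domino effect when an IT asset is taken down by ransomware. The node names, and the assumed links through an ERP system and a corporate directory, are hypothetical.

```python
from collections import deque

# Constructed dependency model: each key depends on the services in its set.
# Names are illustrative; the ERP and corporate directory links are assumed.
DEPENDS_ON = {
    "pipeline_delivery": {"billing"},        # no billing, no delivery (Colonial case)
    "billing": {"metering_system"},          # billing needs metering data
    "metering_system": {"corporate_ad"},     # hypothetical: logins via IT directory
    "product_shipping": {"label_printing"},  # no labels, no shipments (JBS case)
    "label_printing": {"erp_system"},        # hypothetical: label data from ERP
    "erp_system": {"corporate_ad"},          # hypothetical: ERP auth via IT directory
    "plant_floor_control": set(),            # control loop with no IT dependency
}


def dependents_of(graph):
    """Invert the graph: for each service, the set of functions that depend on it."""
    inv = {n: set() for n in graph}
    for node, deps in graph.items():
        for d in deps:
            inv.setdefault(d, set()).add(node)
    return inv


def impacted_by(graph, failed):
    """Return every function that halts when the given services are unavailable.

    Breadth-first walk over the inverted graph, so indirect (domino) impacts
    several hops away from the failed IT asset are included.
    """
    inv = dependents_of(graph)
    halted = set(failed)
    queue = deque(failed)
    while queue:
        svc = queue.popleft()
        for dep in inv.get(svc, ()):
            if dep not in halted:
                halted.add(dep)
                queue.append(dep)
    return halted


def still_running(graph, failed):
    """Functions in the model that keep operating despite the failed services."""
    return set(graph) - impacted_by(graph, failed)


def single_points_of_failure(graph):
    """Rank every node by how many other functions stop if it alone fails."""
    nodes = set(graph) | {d for deps in graph.values() for d in deps}
    return sorted(((len(impacted_by(graph, {n})) - 1, n) for n in nodes), reverse=True)
```

Feeding a real asset inventory into `DEPENDS_ON` turns `single_points_of_failure` into a list of the IT services whose ransomware outage would stop the most OT business operations, which is where continuity planning should start.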
How to Ensure your OT Business Operations are Resilient to Ransomware Threats
There are measures you can take today to ensure your OT business operations remain functional even if your IT systems are compromised. We welcome you to get started on your cybersecurity improvement journey in the Axio360 Platform. As a first step, begin by assessing your cybersecurity gaps by completing our free Ransomware Preparedness Assessment.
Stay tuned for part 4 of our series next week, as we shift our conversation to practical critical infrastructure cybersecurity solutions you can implement today.